@standardagents/builder 0.18.3 → 0.19.1

package/dist/built-in-routes.js

@@ -63365,11 +63365,19 @@ function platformEndpoint(env2) {
   return FALLBACK_PLATFORM_ORIGIN;
 }
 function hostedInstanceRedirectId(req, env2) {
-  const configured = env2.STANDARD_AGENTS_PROJECT_ID || env2.STANDARD_AGENTS_INSTANCE_ID || env2.STANDARD_AGENTS_INSTANCE_SUBDOMAIN;
+  const configured = env2.STANDARD_AGENTS_INSTANCE_HOST || env2.STANDARD_AGENTS_INSTANCE_SUBDOMAIN || env2.STANDARD_AGENTS_INSTANCE_ID;
   if (typeof configured === "string" && configured.trim()) {
     return configured.trim();
   }
-  return new URL(req.url).hostname;
+  const hostname = new URL(req.url).hostname;
+  if (hostname && hostname !== "localhost" && hostname !== "127.0.0.1" && hostname !== "standardagents.internal") {
+    return hostname;
+  }
+  const projectId = env2.STANDARD_AGENTS_PROJECT_ID;
+  if (typeof projectId === "string" && projectId.trim()) {
+    return projectId.trim();
+  }
+  return hostname;
 }
 function platformLoginUrl(req, env2, returnTo) {
   const url = new URL("/login", platformEndpoint(env2));
@@ -63379,6 +63387,14 @@ function platformLoginUrl(req, env2, returnTo) {
   url.searchParams.set("return_to", next || "/");
   return url.toString();
 }
+function platformLogoutUrl(req, env2, returnTo) {
+  const url = new URL("/auth/logout", platformEndpoint(env2));
+  url.searchParams.set("redirect", hostedInstanceRedirectId(req, env2));
+  const reqUrl = new URL(req.url);
+  const next = returnTo && returnTo.startsWith("/") && !returnTo.startsWith("//") ? returnTo : `${reqUrl.pathname}${reqUrl.search}`;
+  url.searchParams.set("return_to", next || "/");
+  return url.toString();
+}
 function sanitizeUsername(input) {
   const normalized = input.trim().toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 50);
   return normalized || "standard-agents";
@@ -63851,6 +63867,10 @@ var diagnostics_get_default = defineController2(async ({ tools, prompts, promptN
 
 // src/api/events.get.ts
 var events_get_default = defineController2(async ({ req, env: env2 }) => {
+  const authResult = await requireAuth(req, env2);
+  if (authResult instanceof Response) {
+    return authResult;
+  }
   if (req.headers.get("upgrade")?.toLowerCase() !== "websocket") {
     return Response.json(
       { error: "This endpoint requires a WebSocket connection" },
@@ -65785,7 +65805,7 @@ var config_get_default2 = defineController2(async ({ req, env: env2 }) => {
   const platformConnected = hasPlatformApiKey(env2) || !!findLocalBootstrapSession(void 0, env2);
   const localPassword = typeof env2.SUPER_ADMIN_PASSWORD === "string" && env2.SUPER_ADMIN_PASSWORD.length > 0;
   const hosted = isPlatformHosted(env2);
-  const standardAgentsLogin = hosted;
+  const standardAgentsLogin = false;
   return {
     github: githubConfigured,
     google: googleConfigured,
@@ -65885,26 +65905,57 @@ var login_post_default = defineController2(async ({ req, env: env2 }) => {
   }
 });
 
+// src/api/auth/_logout.ts
+async function deleteLocalSession(req, env2) {
+  const authHeader = req.headers.get("Authorization");
+  const token = authHeader && authHeader.startsWith("Bearer ") ? authHeader.substring(7) : readSessionCookie(req);
+  if (!token) {
+    return;
+  }
+  if (!token.includes(".") && isValidUserToken(token)) {
+    const tokenHash = await hashToken(token);
+    const agentBuilder = env2.AGENT_BUILDER.get(env2.AGENT_BUILDER.idFromName("singleton"));
+    await agentBuilder.deleteSession(tokenHash);
+  }
+}
+function clearedSessionCookie(req) {
+  return buildSessionCookie(req, "", 0);
+}
+
+// src/api/auth/logout.get.ts
+function safeReturnTo(value) {
+  if (!value || !value.startsWith("/") || value.startsWith("//")) return "/";
+  return value;
+}
+var logout_get_default = defineController2(async ({ req, env: env2 }) => {
+  try {
+    await deleteLocalSession(req, env2);
+  } catch (error) {
+    console.error("Logout error:", error);
+  }
+  const url = new URL(req.url);
+  const returnTo = safeReturnTo(url.searchParams.get("return_to"));
+  const location = isPlatformHosted(env2) ? platformLogoutUrl(req, env2, returnTo) : `${url.origin}/login`;
+  return new Response(null, {
+    status: 302,
+    headers: {
+      Location: location,
+      "Set-Cookie": clearedSessionCookie(req)
+    }
+  });
+});
+
 // src/api/auth/logout.post.ts
 var logout_post_default = defineController2(async ({ req, env: env2 }) => {
   const clearCookie = (body, status = 200) => new Response(JSON.stringify(body), {
     status,
     headers: {
       "Content-Type": "application/json",
-      "Set-Cookie": buildSessionCookie(req, "", 0)
+      "Set-Cookie": clearedSessionCookie(req)
     }
   });
   try {
-    const authHeader = req.headers.get("Authorization");
-    const token = authHeader && authHeader.startsWith("Bearer ") ? authHeader.substring(7) : readSessionCookie(req);
-    if (!token) {
-      return clearCookie({ success: true });
-    }
-    if (!token.includes(".") && isValidUserToken(token)) {
-      const tokenHash = await hashToken(token);
-      const agentBuilder = env2.AGENT_BUILDER.get(env2.AGENT_BUILDER.idFromName("singleton"));
-      await agentBuilder.deleteSession(tokenHash);
-    }
+    await deleteLocalSession(req, env2);
     return clearCookie({ success: true });
   } catch (error) {
     console.error("Logout error:", error);
@@ -68444,6 +68495,10 @@ var kv_default = defineController2(async ({ req, params, env: env2, url }) => {
 
 // src/api/threads/[id]/logs.get.ts
 var logs_get_default = defineController2(async ({ req, params, env: env2 }) => {
+  const authResult = await requireAuth(req, env2);
+  if (authResult instanceof Response) {
+    return authResult;
+  }
   const url = new URL(req.url);
   const threadId = params.id;
   if (!threadId) {
@@ -68708,6 +68763,10 @@ var stop_post_default = defineController2(async ({ params, env: env2 }) => {
 
 // src/api/threads/[id]/stream.ts
 var stream_default = defineController2(async ({ req, params, env: env2 }) => {
+  const authResult = await requireAuth(req, env2);
+  if (authResult instanceof Response) {
+    return authResult;
+  }
   const threadId = params.id;
   if (!threadId) {
     return Response.json({ error: "Thread ID required" }, { status: 400 });
@@ -68945,12 +69004,20 @@ var name_get_default7 = defineController2(async ({ params, url, prompts, agents,
 
 // src/api/auth/sa/callback.get.ts
 var SESSION_TTL_SECONDS2 = 30 * 24 * 60 * 60;
-function safeReturnTo(value) {
+function safeReturnTo2(value) {
   if (!value || !value.startsWith("/") || value.startsWith("//")) return "/";
   return value;
 }
-function failRedirect(req, reason) {
+function failRedirect(req, env2, reason) {
   const origin = new URL(req.url).origin;
+  if (isPlatformHosted(env2)) {
+    const target = new URL(platformLoginUrl(req, env2, "/"));
+    target.searchParams.set("error", reason === "forbidden" ? "no_instance_access" : "instance_login_failed");
+    return new Response(null, {
+      status: 302,
+      headers: { Location: target.toString() }
+    });
+  }
   return new Response(null, {
     status: 302,
     headers: { Location: `${origin}/login?sa_error=${encodeURIComponent(reason)}` }
@@ -68958,12 +69025,12 @@ function failRedirect(req, reason) {
 }
 var callback_get_default = defineController2(async ({ req, env: env2 }) => {
   if (!isPlatformHosted(env2)) {
-    return failRedirect(req, "not_hosted");
+    return failRedirect(req, env2, "not_hosted");
   }
   const url = new URL(req.url);
   const handoff = url.searchParams.get("handoff") || url.searchParams.get("token");
   if (!handoff) {
-    return failRedirect(req, "invalid_response");
+    return failRedirect(req, env2, "invalid_response");
   }
   const configuredProjectId = typeof env2.STANDARD_AGENTS_PROJECT_ID === "string" ? env2.STANDARD_AGENTS_PROJECT_ID : void 0;
   const payload = await verifyPlatformSignedPayload(
@@ -68975,10 +69042,10 @@ var callback_get_default = defineController2(async ({ req, env: env2 }) => {
     }
   );
   if (!payload || !payload.platform_user_id || !payload.role) {
-    return failRedirect(req, "forbidden");
+    return failRedirect(req, env2, "forbidden");
   }
   if (!configuredProjectId && payload.project_id !== hostedInstanceRedirectId(req, env2)) {
-    return failRedirect(req, "forbidden");
+    return failRedirect(req, env2, "forbidden");
   }
   const session = await mintLocalSessionForPlatformUser(env2, {
     platform_user_id: payload.platform_user_id,
@@ -68988,7 +69055,7 @@ var callback_get_default = defineController2(async ({ req, env: env2 }) => {
     avatar_url: payload.avatar_url ?? null,
     role: payload.role
   });
-  const returnTo = safeReturnTo(url.searchParams.get("return_to"));
+  const returnTo = safeReturnTo2(url.searchParams.get("return_to"));
   return new Response(null, {
     status: 302,
     headers: {
@@ -70108,6 +70175,7 @@ var routeHandlers = {
   "POST:/auth/bootstrap": bootstrap_post_default,
   "GET:/auth/config": config_get_default2,
   "POST:/auth/login": login_post_default,
+  "GET:/auth/logout": logout_get_default,
   "POST:/auth/logout": logout_post_default,
   "GET:/auth/me": me_get_default,
   "POST:/auth/platform-replica": platform_replica_post_default,